<?php
class ZSqlsafe {
        private $getfilter = "'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
        private $postfilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
        private $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
        /**
         * 构造函数
         */
        public static function index() {
        		$sqlsafe=new ZSqlsafe();
                foreach($_GET as $key=>$value){$sqlsafe->stopattack($key,$value,$sqlsafe->getfilter);}
                foreach($_POST as $key=>$value){$sqlsafe->stopattack($key,$value,$sqlsafe->postfilter);}
                foreach($_COOKIE as $key=>$value){$sqlsafe->stopattack($key,$value,$sqlsafe->cookiefilter);}
        }
        /**
         * 参数检查并写日志
         */
        public function stopattack($StrFiltKey, $StrFiltValue, $ArrFiltReq){
                if(is_array($StrFiltValue))$StrFiltValue = implode($StrFiltValue);
                if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue) == 1){   
                        $this->writeslog($_SERVER["REMOTE_ADDR"]."    ".strftime("%Y-%m-%d %H:%M:%S")."    ".$_SERVER["PHP_SELF"]."    ".$_SERVER["REQUEST_METHOD"]."    ".$StrFiltKey."    ".$StrFiltValue);
                        //echo "<script language='javaScript'>alert('您提交的是参数非法');history.go(-1);</script>";
                }
        }
        /**
         * SQL注入日志
         */
        public function writeslog($log){
        		//echo $log;exit;
                $log_path = Yii::getPathOfAlias('webroot').'/statics/upload/'.'sql_log.txt';
                $ts = fopen($log_path,"a+");
                fputs($ts,$log."\r\n");
                fclose($ts);
        }
}
?>